 "RBI proposes new rules of two-factor authentication for payments safety (1)")
RBI, Reserve Bank of India(Photo: Reuters)
The Reserve Bank of India (RBI) has introduced a new framework to improve security of digital payments through alternative authentication mechanisms. The initiative is part of RBI's ongoing commitment to safeguard digital transactions, particularly in the wake of rising cyber threats and the increasing sophistication of fraud techniques.
“The Reserve Bank of India has prioritised security of digital payments, in particular the requirement of Additional Factor of Authentication (AFA) for making payments. No specific factor was mandated for authentication, but the digital payments ecosystem has primarily adopted SMS-based OTP as AFA. While OTP is working satisfactorily, technological advancements have made available alternative authentication mechanisms,” said RBI in a press statement.
Overview of the new framework
More From This Section
On July 31, the RBI announced its draft framework for Alternative Authentication Mechanisms for Digital Payments, emphasising the need for an AFA during online transactions. While the prevalent method for AFA has been SMS-based One-Time Passwords (OTPs), the RBI acknowledges that advancements in technology have paved the way for more diverse and secure authentication methods.
The RBI's framework categorises authentication factors into three main types:
This new framework will be applicable to all digital transactions, with the exception of card-present transactions, small value contactless payments up to Rs 5,000, e-mandates for recurring payments, and small value offline digital transactions. Payment system providers and participants, including both banks and non-banks, must comply with these guidelines within three months of their issuance.
According to the proposed guidelines, all digital payment transactions, aside from card-present transactions, must incorporate a dynamically generated authentication factor. This factor, created at the time of payment and unique to each transaction, cannot be reused. The framework specifies that authentication factors may include:
Something the user knows: This includes passwords, passphrases, or PINs.
Something the user has: This refers to physical devices like ATM cards or software tokens.
Something the user is: This encompasses biometric identifiers such as fingerprints or facial recognition.
E-Mandate and KYC
RBI has stated that if no digital transaction has been conducted with a vendor within the last six months, the bank will need to redo KYC for the mandate. Additionally, to enhance convenience and ease of transactions, the RBI has introduced e-mandates for insurance premiums, mutual funds, credit card payments up to Rs 1 lakh, and other recurring transactions up to Rs 15,000.
The NPCI has clarified that only one bank will implement AePS. Banks and NPCI have a three-month window to comply with these guidelines. The RBI is also seeking public comments on these proposals until August 31.
Experts suggest RBI's new guidelines are expected to significantly impact both consumers and financial institutions. For consumers, the emphasis on multiple authentication factors will enhance the security of their digital transactions, reducing the risk of fraud and unauthorised access to their financial information.
